Microsoft Sentinel’s AI-driven UEBA ushers in the next era of behavioral analytics
Co-author - Ashwin Patil Security teams today face an overwhelming challenge: every data point is now a potential security signal and SOCs are drowning in complex logs, trying to find the needle in the haystack. Microsoft Sentinel User and Entity Behavior Analytics (UEBA) brings the power of AI to automatically surface anomalous behaviors, helping analysts cut through the noise, save time, and focus on what truly matters. Microsoft Sentinel UEBA has already helped SOCs uncover insider threats, detect compromised accounts, and reveal subtle attack signals that traditional rule-based methods often miss. These capabilities were previously powered by a core set of high-value data sources - such as sign-in activity, audit logs, and identity signals - that consistently delivered rich context and accurate detections. Today, we’re excited to announce a major expansion: Sentinel UEBA now supports six new data sources including Microsoft first- and third-party platforms like Azure, AWS, GCP, and Okta, bringing deeper visibility, broader context, and more powerful anomaly detection tailored to your environment. This isn’t just about ingesting more logs. It’s about transforming how SOCs understand behavior, detect threats, and prioritize response. With this evolution, analysts gain a unified, cross-platform view of user and entity behavior, enabling them to correlate signals, uncover hidden risks, and act faster with greater confidence. Newly supported data sources are built for real-world security use cases: Authentication activities MDE DeviceLogonEvents – Ideal for spotting lateral movement and unusual access. AADManagedIdentitySignInLogs – Critical for spotting stealthy abuse of non - human identities. AADServicePrincipalSignInLogs - Identifying anomalies in service principal usage such as token theft or over - privileged automation. Cloud platforms & identity management AWS CloudTrail Login Events - Surfaces risky AWS account activity based on AWS CloudTrail ConsoleLogin events and logon related attributes. GCP Audit Logs - Failed IAM Access, Captures denied access attempts indicating reconnaissance, brute force, or privilege misuse in GCP. Okta MFA & Auth Security Change Events – Flags MFA challenges, resets, and policy modifications that may reveal MFA fatigue, session hijacking, or policy tampering. Currently supports the Okta_CL table (unified Okta connector support coming soon). These sources feed directly into UEBA’s entity profiles and baselines - enriching users, devices, and service identities with behavioral context and anomalies that would otherwise be fragmented across platforms. This will complement our existing supported log sources - monitoring Entra ID sign-in logs, Azure Activity logs and Windows Security Events. Due to the unified schema available across data sources, UEBA enables feature-rich investigation and the capability to correlate across data sources, cross platform identities or devices insights, anomalies, and more. AI-powered UEBA that understands your environment Microsoft Sentinel UEBA goes beyond simple log collection - it continuously learns from your environment. By applying AI models trained on your organization’s behavioral data, UEBA builds dynamic baselines and peer groups, enabling it to spot truly anomalous activity. UBEA builds baselines from 10 days (for uncommon activities) to 6 months, both for the user and their dynamically calculated peers. Then, insights are surfaced on the activities and logs - such as an uncommon activity or first-time activity - not only for the user but among peers. Those insights are used by an advanced AI model to identify high confidence anomalies. So, if a user signs in for the first time from an uncommon location, a common pattern in the environment due to reliance on global vendors, for example, then this will not be identified as an anomaly, keeping the noise down. However, in a tightly controlled environment, this same behavior can be an indication of an attack and will surface in the Anomalies table. Including those signals in custom detections can help affect the severity of an alert. So, while logic is maintained, the SOC is focused on the right priorities. How to use UEBA for maximum impact Security teams can leverage UEBA in several key ways. All the examples below leverage UEBA’s dynamic behavioral baselines looking back up to 6 months. Teams can also leverage the hunting queries from the "UEBA essentials" solution in Microsoft Sentinel's Content Hub. Behavior Analytics: Detect unusual logon times, MFA fatigue, or service principal misuse across hybrid environments. Get visibility into geo-location of events and Threat Intelligence insights. Here’s an example of how you can easily discover Accounts authenticating without MFA and from uncommonly connected countries using UEBA behaviorAnalytics table: BehaviorAnalytics | where TimeGenerated > ago(7d) | where EventSource == "AwsConsoleSignIn" | where ActionType == "ConsoleLogin" and ActivityType == "signin.amazonaws.com" | where ActivityInsights.IsMfaUsed == "No" | where ActivityInsights.CountryUncommonlyConnectedFromInTenant == True | evaluate bag_unpack(UsersInsights, "AWS_") | where InvestigationPriority > 0 // Filter noise - uncomment if you want to see low fidelity noise | project TimeGenerated, _WorkspaceId, ActionType, ActivityType, InvestigationPriority, SourceIPAddress, SourceIPLocation, AWS_UserIdentityType, AWS_UserIdentityAccountId, AWS_UserIdentityArn Anomaly detection Identify lateral movement, dormant account reactivation, or brute-force attempts, even when they span cloud platforms. Below are examples of how to discover UEBA Anomalous AwsCloudTrail anomalies via various UEBA activity insights or device insights attributes: Anomalies | where AnomalyTemplateName in ( "UEBA Anomalous Logon in AwsCloudTrail", // AWS ClousTrail anomalies "UEBA Anomalous MFA Failures in Okta_CL", "UEBA Anomalous Activity in Okta_CL", // Okta Anomalies "UEBA Anomalous Activity in GCP Audit Logs", // GCP Failed IAM access anomalies "UEBA Anomalous Authentication" // For Authentication related anomalies ) | project TimeGenerated, _WorkspaceId, AnomalyTemplateName, AnomalyScore, Description, AnomalyDetails, ActivityInsights, DeviceInsights, UserInsights, Tactics, Techniques Alert optimization Use UEBA signals to dynamically adjust alert severity in custom detections—turning noisy alerts into high-fidelity detections. The example below shows all the users with anomalous sign in patterns based on UEBA. Joining the results with any of the AWS alerts with same AWS identity will increase fidelity. BehaviorAnalytics | where TimeGenerated > ago(7d) | where EventSource == "AwsConsoleSignIn" | where ActionType == "ConsoleLogin" and ActivityType == "signin.amazonaws.com" | where ActivityInsights.FirstTimeConnectionViaISPInTenant == True or ActivityInsights.FirstTimeUserConnectedFromCountry == True | evaluate bag_unpack(UsersInsights, "AWS_") | where InvestigationPriority > 0 // Filter noise - uncomment if you want to see low fidelity noise | project TimeGenerated, _WorkspaceId, ActionType, ActivityType, InvestigationPriority, SourceIPAddress, SourceIPLocation, AWS_UserIdentityType, AWS_UserIdentityAccountId, AWS_UserIdentityArn, ActivityInsights | evaluate bag_unpack(ActivityInsights) Another example shows anomalous key vault access from service principal with uncommon source country location. Joining this activity with other alerts from the same service principle increases fidelity of the alerts. You can also join the anomaly UEBA Anomalous Authentication with other alerts from the same identity to bring the full power of UEBA into your detections. BehaviorAnalytics | where TimeGenerated > ago(1d) | where EventSource == "Authentication" and SourceSystem == "AAD" | evaluate bag_unpack(ActivityInsights) | where LogonMethod == "Service Principal" and Resource == "Azure Key Vault" | where ActionUncommonlyPerformedByUser == "True" and CountryUncommonlyConnectedFromByUser == "True" | where InvestigationPriority > 0 Final thoughts This release marks a new chapter for Sentinel UEBA—bringing together AI, behavioral analytics, and cross-cloud and identity management visibility to help defenders stay ahead of threats. If you haven’t explored UEBA yet, now’s the time. Enable it in your workspace settings and don’t forget to enable anomalies as well (in Anomalies settings). And if you’re already using it, these new sources will help you unlock even more value. Stay tuned for our upcoming Ninja show and webinar (register at aka.ms/secwebinars), where we’ll dive deeper into use cases. Until then, explore the new sources, use the UEBA workbook, update your watchlists, and let UEBA do the heavy lifting. UEBA onboarding and setting documentation Identify threats using UEBA UEBA enrichments and insights reference UEBA anomalies reference
Ingesting Akamai Audit Logs into Microsoft Sentinel using Azure Function Apps
Introduction Akamai provides extensive audit logs that can be valuable for security monitoring and compliance. To integrate Akamai Audit logs with Microsoft Sentinel, we can use Azure Function Apps to retrieve logs via the Akamai EdgeGrid API and send them to Log Analytics Workspace. In this guide, we will walk through deploying an Azure Function App that fetches Akamai Audit Logs and ingests them into Microsoft Sentinel. Prerequisites Before starting, ensure you have: An active Azure subscription with Microsoft Sentinel enabled. Akamai API credentials (EdgeGrid authentication: client_token, client_secret, and access_token). A Log Analytics Workspace (LAW) where logs will be ingested. Azure Function App deployed via VS Code. Python installed locally (Use the VSCode for the local deployment). High-Level Architecture Azure Function App calls Akamai API to fetch audit logs. Logs are parsed and sent to Microsoft Sentinel via Log Analytics API request to Azure Function App. Scheduled Execution ensures logs are fetched periodically. Step 1: Create an Azure Function App To deploy an Azure Function App via VS Code: Install the Azure Functions extension for VS Code. Install Azure Core Tools: npm install -g azure-functions-core-tools@4 --unsafe-perm true Create a Python-based Function App: func init AkamaiLogsFunction --python cd AkamaiLogsFunction func new --name FetchAkamaiLogs --template "HTTP trigger" --authlevel "anonymous" Step 2: Install Required Python Packages In your Function App directory, install the required dependencies: pip install requests akamai.edgegrid pip freeze > requirements.txt Step 3: Configure Environment Variables Instead of hardcoding API credentials, store them in Azure Function App settings: Go to Azure Portal > Function App. Navigate to Configuration > Application settings. Add the following environment variables: AKAMAI_CLIENT_TOKEN AKAMAI_CLIENT_SECRET AKAMAI_ACCESS_TOKEN WORKSPACE_ID (Log Analytics Workspace ID) SHARED_KEY (Log Analytics Shared Key) Step 4: Implement the Azure Function Code Create AkamaiLogFetcher.py with the following code: import azure.functions as func import logging import requests from akamai.edgegrid import EdgeGridAuth from urllib.parse import urljoin import os app = func.FunctionApp() # Azure Function HTTP Trigger @app.function_name(name="AkamaiLogFetcher") @app.route(route="fetchlogs", auth_level=func.AuthLevel.ANONYMOUS) def fetch_logs(req: func.HttpRequest) -> func.HttpResponse: logging.info("Processing Akamai log fetch request...") # Akamai API credentials (move these to Azure App Settings for security) baseurl = 'https://YOURBASEHOSTURL.luna.akamaiapis.net/' client_token = os.getenv("AKAMAI_CLIENT_TOKEN", "xxxxxxxxxxxxxx") client_secret = os.getenv("AKAMAI_CLIENT_SECRET", "xxxxxxxxxxxxx") access_token = os.getenv("AKAMAI_ACCESS_TOKEN", "xxxxxxxxxxxxxx") # Initialize session with authentication session = requests.Session() session.auth = EdgeGridAuth( client_token=client_token, client_secret=client_secret, access_token=access_token ) try: # Call Akamai API response = session.get(urljoin(baseurl, '/events/v3/events')) response.raise_for_status() # Raise an error for HTTP errors # Return response as JSON return func.HttpResponse(response.text, mimetype="application/json", status_code=response.status_code) except requests.exceptions.RequestException as e: logging.error(f"Error fetching logs: {e}") return func.HttpResponse(f"Failed to fetch logs: {str(e)}", status_code=500) Step 5: Deploy the Function to Azure Run the following command to deploy the function: func azure functionapp publish <YourFunctionAppName> Step 6: Setting Up the Logic App Workflow Create a new Logic App in Azure: Navigate to the Azure Portal -> Logic Apps -> Create. Choose Consumption Plan and select your preferred region. Click Review + Create, then Create. Add an HTTP Trigger: Select Recurrence as the trigger. Configure it to run every 10 minutes. Configure the HTTP Action to Fetch Logs from Akamai Function App API: Use the HTTP action in Logic Apps. Set the method to GET. Enter the Function App URL. Add the required headers (content type). Parse the JSON Response: Use the "Parse JSON" action to structure the response. Define the schema using a sample response from Akamai Audit Logs. Send Logs to Microsoft Sentinel: Use the "Azure Log Analytics - Send Data" action. Map the Akamai Audit log fields to the Log Analytics schema. Select the appropriate Custom Table in Log Analytics or use CommonSecurityLog. JSON Request body for Send Logs trigger Completed Logic App will look like this: Step 7: Testing and Validation Run a test execution of the Logic App. Check the Logic Apps run history to ensure successful Function App calls and data ingestion. Verify logs in Sentinel: Navigate to Microsoft Sentinel -> Logs. Run a KQL query: RadwareEvents_CL | where TimeGenerated > ago(10m) Summary This guide demonstrated how to use Azure Function Apps and Logic Apps to fetch Akamai Audit Logs via API and send them to Microsoft Sentinel. The serverless approach ensures efficient log collection without requiring dedicated infrastructure.Table Talk: Sentinel’s New ThreatIntel Tables Explained
Key updates On April 3, 2025, we publicly previewed two new tables to support STIX (Structured Threat Information eXpression) indicator and object schemas: ThreatIntelIndicators and ThreatIntelObjects. To summarize the important dates: 31 August 2025: We previously announced that data ingestion into the legacy ThreatIntelligenceIndicator table would cease on the 31 July 2025. This timeline has now been extended and the transition to the new ThreatIntelIndicators and ThreatIntelObjects tables will proceed gradually until the 31 st of August 2025. The legacy ThreatIntelligenceIndicator table (and its data) will remain accessible, but no new data will be ingested there. Therefore, any custom content, such as workbooks, queries, or analytic rules, must be updated to reference the new tables to remain effective. If you require additional time to complete the transition, you may opt into dual ingestion, available until the official retirement on the 21 st of May 2026, by submitting a service request. 31 May 2026: ThreatIntelligenceIndicator table support will officially retire, along with ingestion for those who opt-in to dual ingestion beyond 31 st of August 2025. What’s changing: ThreatIntelligenceIndicator VS ThreatIntelIndicators and ThreatIntelObjects Let’s summarise some of the differences. ThreatIntelligenceIndicator ThreatIntelIndicators ThreatIntelObjects Status Extended data ingestion until the 31st of August 2025, opt-in for additional transition time available. Deprecating on the 31st of May 2026 — no new data will be ingested after this date. Active and recommended for use. Active and complementary to ThreatIntelIndicators. Purpose Originally used to store threat indicators like IPs, domains, file hashes, etc. Stores individual threat indicators (e.g. IPs, URLs, file hashes). Stores STIX objects that provide contextual information about indicators. Examples: threat actors, malware families, campaigns, attack patterns. Characteristics Limitations: o Less flexible schema. o Limited support for STIX (Structured Threat Information eXpression) objects. o Fewer contextual fields for advanced threat hunting. Enhancements: o Supports STIX indicator schema. o Includes a Data column with full STIX object data for advanced hunting. o More metadata fields (e.g. LastUpdateMethod, IsDeleted, ExpirationDateTime). o Optimized ingestion: excludes empty key-value pairs and truncates long fields over 1,000 characters. Enhancements: o Enables richer threat modelling and correlation. o Includes fields like StixType, Data.name, and Data.id. Use cases Legacy structure for storing threat indicators. Migration Note: All custom queries, workbooks, and analytics rules referencing this table must be updated to use the new tables . Ideal for identifying and correlating specific threat indicators. Threat Hunting: Enables hunting for specific Indicators of Compromise (IOCs) such as IP addresses, domains, URLs, and file hashes. Alerting and detection rules: Can be used in KQL queries to match against telemetry from other tables (e.g. Heartbeat, SecurityEvent, Syslog). Example query correlating threat indictors with threat actors: Identify threat actors associated with specific threat indicators Useful for understanding relationships between indicators and broader threat entities (e.g. linking an IP to a known threat actor). Threat Hunting: Adds context by linking indicators to threat actors, malware families, campaigns, and attack patterns. Alerting and Detection rules: Enrich alerts with context like threat actor names or malware types. Example query listing TI objects related to a threat actor, “Sangria Tempest.” : List threat intelligence data related to a specific threat actor Benefits of the new ThreatIntelIndicators and ThreatIntelObjects tables In addition to what’s mentioned in the table above. The main benefits of the new table include: Enhanced Threat Visibility More granular and complete representation of threat intelligence. Support for advanced hunting scenarios and complex queries. Enables attribution to threat actors and relationships. Improved Hunting Capabilities Generic parsing of STIX patterns. Support for all valid STIX IoCs, Threat Actors, Identity, and Relationships. Important considerations with the new TI tables Higher volume of data being ingested: o In the legacy ThreatIntelligenceIndicator table, only the IoCs with Domain, File, URL, Email, Network sources were ingested. o The new tables support a richer schema and more detailed data, which naturally increases ingestion volume. The Data column in both tables stores full STIX objects, which are often large and complex. o Additional metadata fields (e.g. LastUpdateMethod, StixType, ObservableKey, etc.) increase the size of each record. o Some fields like description and pattern are truncated if they exceed 1,000 characters, indicating the potential for large payloads. More Frequent Republishing: o Previously, threat intelligence data was republished over a 12-day cycle. Now, all data is republished every 7-10 days (depending on the volume), increasing the ingestion frequency and volume. o This change ensures fresher data but also leads to more frequent ingestion events. o Republishing is identifiable by LastUpdateMethod = "LogARepublisher" in the tables. Optimising data ingestion There are two mechanisms to optimise threat intelligence data ingestion and control costs. Ingestion Rules See ingestion rules in action: Introducing Threat Intelligence Ingestion Rules | Microsoft Community Hub Sentinel supports Ingestion Rules that allow organizations to curate data before it enters the system. In addition, it enables: Bulk tagging, expiration extensions, and confidence-based filtering, which may increase ingestion if more indicators are retained or extended. Custom workflows that may result in additional ingestion events (e.g. tagging or relationship creation). Reduce noise by filtering out irrelevant TI Objects such as low confidence indicators (e.g. drop IoCs with a confidence score of 0), suppressing known false positives from specific feeds. These rules act on TI objects before they are ingested into Sentinel, giving you control over what gets stored and analysed. Data Collection Rules/ Data transformation As mentioned above, the ThreatIntelIndicator and ThreatIntelObjects tables include a “Data” column which contains the full original STIX object and may or may not be relevant for your use cases. In this case, you can use a workspace transformation DCR to filter it out using a KQL query. An example of this KQL query is shown below, for more examples about using workspace transformations and data collection rules: Data collection rules in Azure Monitor - Azure Monitor | Microsoft Learn source | project-away Data A few things to note: o Your threat intelligence feeds will be sending the additional STIX objects data and IoCs, if you prefer not to receive these additional TI data, you can modify the filter out data according to your use cases as mentioned above. More examples are mentioned here: Work with STIX objects and indicators to enhance threat intelligence and threat hunting in Microsoft Sentinel (Preview) - Microsoft Sentinel | Microsoft Learn o If you are using a data collection rule to make schema changes such as dropping the fields, please make sure to modify the relevant Sentinel content (e.g. detection rules, Workbooks, hunting queries, etc.) that are using the tables. o There can be additional cost when using Azure Monitor data transformations (such as when adding extra columns or adding enrichments to incoming data), however, if Sentinel is enabled on the Log Analytics workspace, there is no filtering ingestion charge regardless of how much data the transformation filters. New Threat Intelligence solution pack available A new Threat Intelligence solution is now available in the Content Hub, providing out of the box content referencing the new TI tables, including 51 detection rules, 5 hunting queries, 1 Workbook, 5 data connectors and also includes 1 parser for the ThreatIntelIndicators. Please note, the previous Threat Intelligence solution pack will be deprecated and removed after the transition phase. We recommend downloading the new solution from the Content Hub as shown below: Conclusion The transition to the new ThreatIntelIndicators and ThreatIntelObjects tables provide enhanced support for STIX schemas, improved hunting and alerting features, and greater control over data ingestion allowing organizations to get deeper visibility and more effective threat detection. To ensure continuity and maximize value, it's essential to update existing content and adopt the new Threat Intelligence solution pack available in the Content Hub. Related content and references: Work with STIX objects and indicators to enhance threat intelligence and threat hunting in Microsoft Sentinel Curate Threat Intelligence using Ingestion Rules Announcing Public Preview: New STIX Objects in Microsoft SentinelPreview the new Microsoft 365 LTI® for your LMS
Enhance your LMS with the power of Microsoft 365 We are excited to announce the public preview of Microsoft 365 LTI. Experience the full potential of Microsoft 365 directly within your Learning Management System (LMS) through a simple to integrate learning tool interoperability (LTI). Microsoft 365 LTI makes LMS integrations simple, with a powerful tool designed to introduce new capabilities to streamline and simplify deployment. Deploy and access the new Microsoft 365 LTI in your LMS with the overview and deployment guides. At-a-glance: The Microsoft 365 LTI is now in Public Preview, bringing all your favorite Microsoft Education tools into a single, seamless experience inside your LMS. No more juggling multiple integrations - just streamlined access to everything educators and students need, right where they work. This includes: Unified access to OneDrive, Teams, Class Notebook, Reflect, and more, directly in your LMS Add content, create assignments, and schedule meetings - all from one place No need to enable multiple tools separately or clutter your LMS menus Replaces deprecated Teams Meetings and Team Classes LTI tools Expanding support for Microsoft Assignments, OneDrive, OneNote Class Notebooks, and Reflect Available for Canvas, Schoology, Blackboard, D2L Brightspace, Moodle, and more Let’s dive into the new Microsoft 365 LTI to streamline your learning management system experience We are bringing our Microsoft Education capabilities for learning management systems together into a single tool and streamlined user experience. Educators will be able to access Learning Accelerators, Reflect, OneDrive, Teams, and more in their LMS courses, without having to enable multiple tools separately, and without overcrowding menus where LTI tools are surfaced. Whether adding content to a module, creating an assignment, or scheduling a meeting for a class, you will be able to easily access Microsoft Education related features directly in your LMS workflow. Microsoft 365 LTI debuts with replacements for the deprecated Teams Meetings and Team Classes LTI tools that sunset on 9/15/2025. The capabilities of Microsoft Assignments, OneDrive, OneNote Class Notebooks, and Reflect will also be added to the Microsoft 365 LTI in preview, and those existing LTIs will continue to be supported as their capabilities transition. Microsoft 365 LTI will be available for all currently supported LMS platforms, including Canvas by Instructure, PowerSchool Schoology Learning, Blackboard by Anthology, D2L/Brightspace, and Moodle™, and for any LTI 1.3 Advantage compliant platform. Learning Accelerators and AI-enhanced assignments in your LMS (without Microsoft Teams) With the Microsoft 365 LTI, you will be able to use Learning Accelerators, multiple-document submissions, AI rubric and instructions generation, AI-assisted feedback, auto-graded Forms and other Microsoft Education assignment capabilities directly within your learning management system (LMS), without the need to create and sync a Microsoft Team for your class. Assignments in Microsoft 365 LTI no longer require Teams, enabling more LMS users to benefit from advanced, AI-enhanced capabilities that were formerly exclusive to Microsoft Teams for Education. Assignments can be created, managed, completed, and graded, without leaving your LMS, and grades and feedback will sync automatically to the LMS gradebook. This capability is included automatically in the new Microsoft 365 LTI tool. Existing, Teams-based assignments will continue to work and can be copied to new courses, so no migration is necessary. This enhancement will apply to all currently supported LMS platforms, including Canvas, Schoology, Blackboard, D2L Brightspace, and Moodle. Teams and Teams Meetings Microsoft 365 LTI replaces the former Teams Classes LTI and Teams Meetings LTI tools, with improved user experience. Users can easily schedule, manage, and launch meetings from directly within their LMS course. The tool provides streamlined views of future and past meetings, consolidated attendance reports, and a new “Meet Now” capability. Automatic rostering in Class Notebooks returns with the Microsoft 365 LTI In March, we announced the retirement of automatically adding newly rostered students and co-educators to OneNote Class Notebooks provisioned through the LMS using the LTI 1.1 integration. This much-loved feature is back in the new Class Notebook app in Microsoft 365 LTI. Any instructor in the LMS course can create a Class Notebook and all co-educators and students automatically added to the notebook, even as the LMS roster changes. In addition, the new integration enables OneNote with the benefits of LTI 1.3 conformance and a modernized provisioning flow for educators to easily deploy new Class Notebooks for their courses. Existing notebooks created in the LTI 1.1 integration will continue to work, and sections and pages can be easily copied to new notebooks. OneDrive and Microsoft 365 files with embedded editors and new placements The new Microsoft 365 LTI tool expands beyond the capabilities of the existing OneDrive LTI tool. The full capabilities of Word, PowerPoint, and Excel, including Microsoft 365 Copilot, are now available within the LMS experience for attaching content resources, collaborative documents (including Collaborations for Canvas Courses and Groups!), and students editing and submitting Microsoft 365 documents as an assignment without leaving the LMS. Documents can be embedded or linked into courses and other LMS activities like discussions, announcements, pages, with proper management of permissions to prevent oversharing, and with dedicated course-level storage to support proper document lifecycle management, assignment workflows, and use of Microsoft 365 Copilot. Easily add Reflect to your classroom toolset Microsoft 365 LTI provides easy access to Microsoft Reflect to support student wellbeing in the classroom. Educators can create check-ins, view responses, and monitor trends within an LMS course. Users can access activities from Microsoft and partners such as Calm to support physical and mental wellbeing. For more information, and to keep up with future product announcements Please visit the Microsoft Tech Community Education Blog and subscribe to keep up with what’s new in Microsoft Education. We also hold bi-monthly office hours every first and third Thursday where lots of LMS + Microsoft 365 customers come to discuss scenarios and get assistance from peers, please join us! Microsoft 365 LTI Office Hours 1 st and 3 rd Thursday of each month @11am EST Join link: https://aka.ms/LTIOfficeHours We can’t wait to hear your feedback! Try out the preview today. How to get help or send feedback For any issues deploying the integration, our Education Support team is here to help. Please visit https://aka.ms/EduSupport Once deployed, the Teams Assignments integration has links to Contact Support and Send Feedback from right within the app. These can be found in the user voice menu in the upper right on any view that appears within the LMS. Learn more about Microsoft feedback for your organization. Learning Tools Interoperability® (LTI®) is a trademark of the 1EdTech Consortium, Inc. (1edtech.org) The word Moodle and associated Moodle logos are trademarks or registered trademarks of Moodle Pty Ltd or its related affiliates.What’s New in Microsoft Teams | August 2025
Welcome to the August edition of What’s New in Microsoft Teams! As Teams continues to evolve, this month’s updates bring a fresh wave of innovation designed to help you work smarter, collaborate more effectively, and stay connected across your organization. Whether you’re catching up on conversations or preparing for your next big meeting, Teams is here to support your productivity with intelligent, user-friendly features. Among the standout releases this month is a feature that expands how you can express yourself, another feature that helps to streamline your workflow, and multiple enhancements to desk booking. First, “Multiple emoji reactions” lets you combine several emojis to share more complex reactions in a quick and concise way. Second, IT administrators can now upload custom dictionaries for Copilot in Teams, ensuring that meeting transcripts and Intelligent Recap reflect your organization’s unique terminology. Finally, your desk booking experience just got easier, with features that let you book a desk from a map and near a colleague. Together, these enhancements make Teams smarter and more personalized, helping you unlock deeper insights and collaborate with greater clarity than ever before. Take a look at the details of those features, and all the others we’re launching this month! New features released this month: Chat and collaboration Meetings, webinars, and town halls Teams Phone Workplace: Places and Teams Rooms Fundamentals and Security Frontline Worker Solutions Certified for Teams Devices Chat and Collaboration Filter for messages with files in contextual search Finding shared content in Teams just got easier with the latest enhancements to the Find in Chat/Channel experience. Users can now quickly locate documents and media shared across conversations without scrolling through long threads. The updated experience enables filtering messages to show only those with attachments, and search results now include file chiclets—making it easy to identify messages containing files at a glance. These updates improve productivity and reduce friction when searching for shared content in conversations. Search with SQL-like commands When searching in Teams, you can now efficiently narrow down your search results by using SQL-like commands in the search bar. This allows you to quickly filter messages, files, or conversations with precise queries such as from:username or in:channel. This feature provides users with a familiar and structured method to find information swiftly and accurately. Keyboard Shortcuts Customize your keyboard shortcuts in Teams to work the way that’s most intuitive to you. Whether you want to set your own shortcuts based on your workflow preferences or you're used to shortcuts from other tools like Slack or Zoom, Teams lets you set up commands that match your habits, helping you work efficiently. Create your own custom commands or choose from preset layouts inspired by other apps. Just head to the top bar menu (•••), select Keyboard shortcuts, and use the dropdown to pick a layout or edit any shortcut to make it your own. Saved message view Quickly get back to important information without scrolling through long conversations. You can save messages in chats and channels and find them later in the saved messages view in your chat list. From the saved view, click on a saved message to open the full conversation in the right pane, where you can review or reply directly. Multiple Emoji Reactions You can react to messages and posts with multiple reactions per message, enhancing your ability to express a wide range of emotions effectively. Now you can respond to your manager’s leadership update with a "check” and “thank you” emoji, showing you understand the update and are thankful for their transparency. You can use combinations of emojis like those for a richer and more nuanced response, quickly conveying your feelings and thoughts, like agreement, urgency or sentiment, without extra replies—keeping discussions focused and efficient, while expressing yourself comprehensively. Meetings, Webinars, and Town halls Personal meeting templates [Premium] Efficient collaboration begins with a seamless meeting setup. With personal meeting templates, users can create and customize templates tailored to their frequent meeting types—such as one-on-one connections, client engagements, or support sessions. Simply select your template, and all the pre-saved options are automatically applied, allowing meetings to start promptly and with confidence. Personal meeting templates save users time and effort in resetting meeting settings and ensure consistency across your organization. This capability is available with a Teams Premium license. Custom dictionaries now available to Copilot in Teams IT administrators can now upload custom dictionaries for their tenant in English, Spanish, Japanese, French, German, Portuguese, Italian, and Chinese (Simplified). This capability is accessible through the Copilot Settings page in the Microsoft 365 admin center. By integrating organization-specific terminology, custom dictionaries help the AI model produce more accurate and meaningful meeting transcripts. This enhancement benefits both Copilot and Intelligent Recap, ensuring your unique business language is recognized and reflected. Organizations can reduce misunderstandings and improve productivity by tailoring the AI to their needs. Take advantage of this new feature to unlock deeper insights from your meetings. Meeting organizers can send messages to attendees in the lobby with lobby chat Now meeting organizers can send one-way messages to attendees in the lobby via the lobby chat. The lobby chat is intended to optimize the lobby experience for all participants, ensuring that organizers are better equipped to run external meetings, have more control over meetings with external participants, and external attendees are well informed about the meeting upon meeting start. Edit your display name in Teams meetings Participants can now edit their display name during a Teams meeting — whether to reflect a preferred name, indicate a role (e.g., “Moderator” or “Interpreter”), or support inclusive self-representation. The change of display name is temporary and only visible during the meeting. The change is not permanent in any artifact like recording. Customize the screen in Teams Town halls through ‘Manage what attendees see’ [Premium] Organizers will be able to elevate their Teams Town hall presentations by customizing their screen with select layouts, backgrounds, and name tags using “Manage what attendees see” feature. This will result in a polished, high-quality, and engaging event experience. This feature is available with a Teams Premium License. Immersive events, experience customization tools and presenter tools [Premium] Microsoft Teams now supports immersive events, a new way to host large-scale, 3D virtual gatherings that hosts can schedule and attendees can join directly in Teams. Organizers with a Teams Premium license can design engaging spaces, customize event visuals, and host up to 300 attendees in a spatial audio environment that supports simultaneous conversations and cross-room interactions. This feature brings new and expanded immersive capabilities into the familiar Teams experience, making it easier to inspire ideas, foster inclusion, and build stronger connections. With the new Experience Customization Tools, event creators can personalize immersive spaces using intuitive design options, no coding required. Add logos, theme colors, images, and videos to a shared 3D canvas, resize and reposition objects, and save layouts as reusable templates for future events. In addition, improvements to Presenter tools make it simpler to host immersive, interactive 3D events with avatars in customizable 3D spaces. Improvements include: ‘Easy presentation start’, which consolidates required actions into a simple start flow Hosts can make sure attendees and speakers are in the right place by teleporting them to seating or presentation spaces in the 3D space Find-a-person gives the ability to search across rooms to find someone The simplified Control Panel provides a cleaner and simpler production experience with a pre-filtered content view Teams Phone Microsoft Shifts integration with Teams call queues Teams admins can leverage Teams scheduling groups created within the Shifts app in Teams to dynamically manage call routing to agents in call queues. Once scheduling groups and associated work shifts are established in the Shifts app, call queues can be configured to reference shift data. Call queues will then pull in the associated shift schedules, ensuring that calls to the queue are routed only to agents who are actively on shift. This integration enables: Streamlined workforce management by aligning call routing with shift schedules Greater flexibility in configuring call queues based on timing and team Learn more about Shifts in Teams, how to manage the Shifts app, and configuring a Shift for your call queue. Email notifications for phone number assignments Admins can send a Microsoft branded email notification to end-users with their newly assigned Teams Phone number while assigning/unassigning the number through Teams PowerShell cmdlet. This feature helps provide a welcoming onboarding experience for new Teams Phone users. User notifications include: The assigned or unassigned telephone number Activation timeline (up to 48 hours) Instructions for accessing the dial pad in Teams Links to learn more about Teams Phone capabilities Learn how to assign a phone number to a user through the Teams Admin Center. Device sign-in support for non-touch models Organizations now have increased sign-in flexibility for non-touch devices. Users are able to log in directly, without relying on device code flow (DCF) authentication. For example, a T9 keyboard can be used to enter credentials, providing an experience better tailored to the device. Workplace: Places and Teams Rooms Find certified for Teams devices for all types of spaces and uses at aka.ms/teamsdevices. Book desks using maps [Premium] You can now book a desk using an interactive, map-based experience. The new maps-first interface shows office layouts and is responsive on mobile devices and smaller screens. Whether reserving an individual desk or a pooled desk, the experience is optimized within Outlook and Teams calendars and across the Places app. This feature is available with a Teams Premium license. Book desks near colleagues [Premium] You can now book a desk based on where your colleagues are working. When selecting a desk, you’ll be able to see who is occupying nearby desks or find where a specific colleague plans to sit on a given day, then book a desk close to them. You always retain control over whether to share your own desk location with others. This capability is available with a Teams Premium license. Book desks for partial days and multiple days [Premium] Desk reservations are now more flexible in duration: you can book a desk for a partial day (just a few hours) or for multiple days in one go, rather than requiring a separate full-day booking for each day. This change accommodates real in-office workflows – for example, if you only need a desk for a morning, or conversely want to keep the same desk all week, you can do so easily. This feature is available with a Teams Premium license. Book desks on behalf of others [Premium] Delegates can now book desks for their principals. If you manage another person’s schedule, you can reserve a workspace on their behalf through the familiar calendar delegation workflow. This desk booking process mirrors existing Outlook calendar management, so it fits seamlessly into delegates’ routines. This feature is available with a Teams Premium license. Configure auto-release for no-show desk reservations Admins can now set desks to auto-release after a specific time frame if a user does not check in for their reservation. This frees up space for others, and helps maximize workspace utilization by ensuring no-show reservations don’t keep a desk locked all day. Learn more here. Enhanced walk-up desk booking experience for users Teams walk-up desk booking now features enhanced interface updates, showing reservation confirmation or notifications if desks are booked. The improved experience guides users on reservations, calendar syncing, and management. Learn more here. Configure new desk modes: reservable, drop-in, assigned, unavailable Administrators can configure desks in multiple modes to support different booking policies. Each desk can now be set to one of several modes, and this setting can be changed at any time to adapt to organizational needs. The available desk modes include: Reservable desks are configured to be booked in advance or on-the-spot. Drop-in desks are available for on-the-spot use and cannot be reserved in advance. You can use the capability from Microsoft Teams to link the peripheral devices present on these desks to the individual desk object in the directory. Assigned desks are permanently linked to a specific user and cannot be booked by others. Every assigned desk must always have a designated user. Unavailable desks are not available for reservation due to maintenance or for any other reason. These modes give organizations flexibility in managing how each workspace is utilized – from hoteling desks that anyone can book, to dedicated desks, to informal touchdown spots. Learn more here. New Places built-in admin role support Places now supports built-in Microsoft 365 admin roles for delegation. IT admins can assign responsibility for Places management to other administrators using standard roles, allowing day-to-day management tasks to be handled without elevated permissions. In practice, this means administrators can delegate tasks (like updating office space details or approving changes) to team members with appropriate built-in roles, streamlining operations. Learn more here. New Places admin dashboard Administrators can now manage Places directory data through a dedicated, user-friendly dashboard that provides a central interface to easily view and edit workspace directory information (such as office locations, desks, and rooms) and set and manage booking policies. This simplifies day-to-day management of workplace data by putting all relevant controls in one place. Fundamentals and Security Microsoft Teams: Support Audit logs for Give and Take Control and Screen share IT administrators will now have the ability to access detailed logs for both the "Give and Take Control" and "Screenshare" features. These logs will provide comprehensive information, including the names and timestamps of the individuals involved in each action. Specifically, the logs will indicate who initiated or received control, as well as who started the screenshare session, along with the corresponding timestamps and names. This enhancement ensures greater transparency and accountability for all control and screenshare activities. Accessible in Teams Admin Center. Learn more here. Frontline Worker Solutions New SharePoint Agent Integration in Teams Chats and Channels Starting in August, SharePoint agents can now be added to Teams channels. SharePoint agents allow users to create agents grounded on SharePoint sites, files and folders. For example, you can create an agent that pulls from a SharePoint library with compliance information. Within a channel, users can then query against those documents. Additionally, users can now add multiple SharePoint agents to a single group chat – an upgrade from the previous limitation of one agent per chat. Each agent brings its own specialized knowledge, perfect for reviewing documents, planning content, or collaborating across specs. Adding an agent is easy: just copy the link from SharePoint – just like you would to share any other file – and drop it into a post or reply. Then, interact with them by @mentioning the agent by name. These agents enhance conversations by offering tailored insights and support right when it's needed. Deploy Frontline Teams in Teams Admin Center We’re excited to announce new enhancements in the Teams Admin Center that make it easier than ever to set up and deploy your frontline teams with flexible membership. With our updated setup wizard, you can now complete configuration and deployment in one seamless flow—no need to navigate across multiple wizards to complete setup and deploy your first frontline teams. Whether you're onboarding a single team or scaling across multiple locations, the streamlined experience helps you move faster and with greater confidence. We’ve also introduced incremental save, allowing you to pause setup at any point and return later without losing progress. Plus, you can now validate your location attributes directly within the wizard to ensure your deployment includes the expected number of locations before going live. These updates are designed to simplify frontline deployment and give IT admins more control and flexibility every step of the way. Learn more here. Certified for Teams Devices EPOS IMPACT 100 MS Stereo and Mono USB-C+A headsets The IMPACT 100 is an entry-level headset that delivers exceptional value for money. With smart features that enhance efficiency and an ultra-lightweight design, it is an ideal headset for talk-heavy professionals. The soft headband and leatherette earpads ensure all-day comfort, while the in-line controller allows for easy call control. The USB-C to USB-A adapter eliminates connectivity concerns and certifications with Microsoft Teams and UC platforms guarantees seamless calls in any office setup. Logitech Rally Board 65 + Tap for Teams Rooms on Android (wired) Simplify the way you meet and collaborate. Introducing Rally Board 65 + Tap — the ultimate all-in-one video conferencing solution designed for meeting rooms and open spaces. The expansive 65” touchscreen of Rally Board enables a seamless and intuitive collaboration experience in any environment. Join meetings with just one touch with Tap, a touch controller for Microsoft Teams Rooms. Enjoy quick and easy setup, flexible installation options to place the camera above or below the screen for natural eye contact, and innovative AI-driven features. Yealink MeetingBar A50 with Touch Panel CTP25 Yealink MeetingBar A50 is an all-in-one video collaboration bar for medium-to-large rooms. This product delivers cutting-edge audio and video communication capabilities, powered by advanced AI technology, ensuring crystal-clear sound and ultra-HD visuals. With intelligent full-duplex, IntelliFocus, and video fence, it redefines the video conferencing experience, bringing unparalleled clarity and efficiency to every meeting. A50 uses Qualcomm's latest generation chip QCM8550, supporting 48 Tops of industry-leading computing power. Also it uses simple plug-and-play with a CTP25 controller. The Yealink MeetingBar A50 with Touch Panel Logitech Entry Level MeetUp 2 for Teams Rooms on Windows Upgrade your small rooms and BYOD spaces into certified Microsoft Teams Rooms on Windows. This solution is preconfigured for easy and affordable deployments and includes Logitech MeetUp 2 for powerful audio and video with next-gen features; Logitech Tap with USB Kit touch controller for easy, one-touch join meetings; and Lenovo mini PC to power operations. The Logitech Entry Level MeetUp 2 system with integrated camera/soundbar, controller and mini PCAvailable today: GPT-5 in Microsoft 365 Copilot
We’re excited to announce that GPT‑5—OpenAI’s best AI system to-date—is rolling out today in Microsoft 365 Copilot and Microsoft Copilot Studio across the world. GPT-5 is a significant leap in intelligence and becomes even more powerful when applied to work. Bringing GPT-5 to Copilot on the day of its release is part of our commitment to make OpenAI’s latest models available to customers in Microsoft 365 Copilot within 30 days. Copilot delivers the latest AI innovation, tuned for work and tailored to your business needs—with the security, compliance, and privacy that you expect from Microsoft. Continue reading here
Manager insights coming to Viva Insights web app, with new team view for Copilot Dashboard
We’re expanding the reach of the Copilot Dashboard and Reports page in Viva Insights to include managers, in addition to the senior leaders, delegates, and analysts supported today. Starting late September, managers will have default-on access to a team-scoped view of the Copilot Dashboard and related Reports tab, providing rich insights into Copilot adoption, impact, and learning, all automatically tailored to their teams. In addition, analysts will be able to publish from their library of available reports directly to managers. These reports will also appear in the Viva Insights web app and be scoped to the manager’s own team, making it easier to surface relevant, actionable insights based on manager need. This change also unifies all manager insights into a single destination: the Viva Insights web app. As part of this update, the manager capabilities currently available in the Viva Insights Teams app, such as Organizational behavior insights and Copilot chat insights, will no longer be supported. Managers will soon see a banner in the Teams app notifying them of the upcoming change. Once the rollout is complete, manager insights will only be available in the Viva Insights web app. Broader Copilot insights for managers Managers will gain a dedicated Copilot Dashboard scoped to their own teams, showing adoption, impact, and learning insights. They’ll also have access to the Reports page, which provides out-of-the-box Copilot reports with no setup required. Managers will have access to the Copilot for Sales adoption report, with more reports becoming available over time. Publishing to managers We’re extending the Viva Insights’ publishing capability so analysts can share reports directly with managers, in addition to senior leaders. This can give managers access to a broad library of reports automatically scoped to their own teams, covering topics like Copilot, collaboration, meeting effectiveness, and more. Published reports appear prominently on the Reports page as cards, making it easy for managers to explore detailed, team-specific insights with no setup required. This feature will launch in public preview at the same time as the above capabilities. Insight admins must enable it (if they haven’t already) before analysts can start publishing. No action needed to gain access to Copilot Dashboard team view There’s nothing managers or admins need to do to take advantage of these changes. If admins have previously modified manager settings, those settings will continue to apply. This includes any minimum group size thresholds you have set or any managers you have enabled for manager insights. Any delegates currently assigned to a manager will also continue to have the same access in the new experience. For organizations that haven’t made modifications, managers with the default minimum team size (10 members) will automatically gain access to the new capabilities in the Viva Insights web app. Managers will still need either a Viva Insights license or a Microsoft 365 Copilot license to access the new team-scoped dashboards. Your organization also needs to have at least 50 of these licenses to be eligible for Manager insights.
